Configuring Certificate Revocation Checking
Reflection SSL/TLS and Secure Shell connections can be configured to authenticate hosts using digital certificates. To ensure that certificates have not been revoked, you can configure Reflection to check for certificate revocation using CRLs or using an OCSP responder.
When CRL checking is enabled, Reflection always checks for CRLs in any location specified in the CRL Distribution Point (CDP) field of the certificate. In addition, Reflection can also be configured to check for CRLs located in an LDAP directory or using an OCSP responder.
Reflection's default value for certificate revocation checking is based on your current system setting. If your system is configured to do CRL checking, all Reflection sessions will check for certificate revocation using CRLs by default.
Note: When Reflection is running in DOD PKI mode, certificate revocation is always enabled and cannot be disabled.
To enable CRL checking for your system:
Using Reflection, you can enable certificate revocation checking using either a CRL or an OCSP responder.
To enable CRL checking for Secure Shell sessions:
To enable CRL checking for SSL/TLS sessions:
Note: CRLs and/or OCSP responders required by a certificate are identified in the AIA and/or CDP extension of the certificate. If this information is not provided in the certificate, you can use the OCSP and LDAP tabs of the Reflection Certificate Manager to configure it.